I've searched for this problem with no result. I have Windows Azure AD Sync set up on a server 2012 VM and I have had a reoccurring issue with FIM. After install if I ever reboot the FIM service will not start and sync will not happen as a result. It works 100% fine if I never reboot or if the server never goes down, but the moment I reboot I get an Error 1069 service did not start due to logon failure. If I uninstall and reinstall it works fine but its frustrating to have to spend an hour or 2 reinstalling Azure AD Sync every time the server gets windows updates. I had initially thought maybe it was a problem with the VM and installed the service on a brand new Win08r2 VM but got the same problem. It seems to be a configuration problem with the services or with my AD tree. Any help would be appreciated

We are also seeing this on a windows 2008R2 physical member server.  We are using this for Office 365 directory synchronization. 

We have tried adding the logon account to the local administrators group, changing the password on the account, then finally removing and re-installing (The only one that seems to work).

Any thoughts?

Nathan,

Two things I would look at.........you stated that the event log shows a logon failure error. I would suspect that when you perform the install and designate the service account, the install program provides a user right such as 'log on as a service'. You possibly could have GPOs or local policy set that ultimately takes this away or possibly puts it in 'deny log on as a service'. You would only see this after some time during a service restart, which of course a reboot would expose.

The other possibility, much less likely based on what you have reported, is that the service account is attempting to get to the Internet looking for a CRL as FIM 2010 R2 service does CRL checking by default. If this is the case, you can turn this off in a variety of ways.

http://social.technet.microsoft.com/wiki/contents/articles/13946.fim-troubleshooting-fim-service-start-up-timeout.aspx

If I could add to Glenn's post, go to your AD and in the Users container, look for the domain account that was added during installation of DirSync.

It has a very long description explaining that Azure DirSync added it, and probably starts with MSO.

Add this domain account to the group policy that controls the Run As Service for the server that has your DirSync installed.  This account will not match the actual local account on the server that you see the ForeFront Identity Manager and the Windows Azure Active Directory Syn services, but they are tied together.

After you have added the domain MSOxxxxxxxxx account to the Run As Service policy, gpudate your dirsync server and then go in and start the Windows Azure AD Sync service - it'll automatically start the ForeFront Identity service.

I struggled with this and just wanted to help anyone else looking for details.

Hi Guys,

I experience exactly the same issue.

I have reinstalled the server on a 2008 R2 (coming from a 2012).

As soon as I reboot the server, FIM service is not starting and if I try to start it manually, I get a Logon Failure in the evnet log.

I have created a special OU with no GPO to be sure the logon as a service right doesn't get messed up on that server by any GPO.

One thing I have noticed is te serice account is a local to the FIM server, not an AD account.

This happens at each install I have tried.

I don't know if you already found a solution to that.

Any comment/help welcome

Fabian

To add to Glenn's reply, if you are having internet difficulties you may try to increase the service timeout value also.  This has worked for me numerous times.

check out this post. http://social.technet.microsoft.com/Forums/en-US/853796a7-b446-43de-a9f0-138795f7b42d/fim-2010-r2-fimservice-suddenly-stops-working-wont-start

Good luck,

Peter